VULNERABILITY ASSESSMENT METHODOLOGY. Electric Power Infrastructure


U.S. Department of Energy
Office of Energy Assurance
September 30, 2002

CONTENTS

1 Introduction
2 Vulnerability Assessment Process
3 Pre-Assessment
4 Vulnerability Assessment Methodology
5 Post-Assessment
Appendix A: Critical Assets Methodology
Appendix B: Request for Information

FIGURES

2.1 Vulnerability Assessment Phases
3.1 Example Risk Management Process
C.10.1 Estimating Expected Damage to Assets

TABLES

A.1 Criticality/Consequence Dimensions and Attributes
A.2 Critical Asset Listing
C.2.1 List of Organizations to Contact for Threat Information
C.4.1 Physical Security Program
C.4.2 Physical Security Barriers
C.4.3 Physical Security Access Control/Badges
C.4.4 Physical Security Locks/Keys
C.4.5 Physical Security Intrusion Detection Systems
C.4.6 Physical Security Communications Equipment
C.4.7 Protective Force/Local Law Enforcement Agency
C.4.8 Entrances into Critical Asset Areas
C.4.9 Surfaces Surrounding Critical Asset Areas
C.4.10 Fences Surrounding Critical Asset Areas
C.4.11 Vehicle Gates through Critical Asset Area Fences
C.6.1 Human Resources Security Procedures
C.6.2 Facility Engineering
C.6.3 Facility Operations
C.6.4 Administrative Support Organizations
C.6.5 Telecommunications and Information Technology
C.6.6 Publicly Released Information
C.6.7 Trash and Waste Handling
C.7.1 List of Interview Candidates for Policies and Procedures Element
C.8.1 Estimates of Unit Costs of Outages
C.8.2 Estimated Value of a Utility Energy 24-hour Outage
C.9.1 Infrastructure Oversight and Procedures
C.9.2 Electric Power Supply and Distribution
C.9.3 Petroleum Fuels Supply and Storage
C.9.4 Natural Gas Supply
C.9.5 Telecommunications
C.9.6 Transportation
C.9.7 Water and Water System
C.9.8 Emergency Services
C.9.9 Internal Computers and Servers
C.9.10 HVAC System
C.9.11 Fire Suppression and Fire Fighting System
C.9.12 SCADA System
C.9.13 Physical Security System
C.9.14 Financial System
C.10.1 Asset Attractiveness Scale
C.10.2 Level of Consequence Scale
C.10.3 Technical and Cultural Difficulty Scale
C.10.4 Dependency on Other Infrastructures Scale
C.10.5 Risk Characterization of Recommendations
C.10.6 Categorization of Recommendations
C.10.7 Lowest-cost Recommendations
C.10.8 Recommendations with the Largest Increases in Probability of Preventing an Aggressor Attempt
C.10.9 Recommendations with the Largest Increases in Probability of Preventing Aggressor Success, Given an Attempt Is Not Prevented
C Recommendations that Address Extremely Attractive Assets
C Recommendations that Address High-consequence Assets

1 INTRODUCTION

1.1 OBJECTIVE

Effective operation of the U.S. energy infrastructure (the electric power, oil, and natural gas production, transmission, and distribution systems that fuel and power our economy) is critical to the health and safety, national security, and economic viability of our nation. As the lead agency for the energy industry, the U.S. Department of Energy (DOE) is increasingly concerned about the reliability and security of this critical infrastructure and, in particular, about the possibility of terrorist attacks that could target that infrastructure. The possibility of terrorist attacks is especially problematic in the post-September 11th world.

This report is an update to Vulnerability and Risk Analysis Program: Overview of Assessment Methodology, September 28, The initial report provided a high-level overview of the vulnerability assessment methodology being developed and validated by DOE's Office of Energy Assurance (OEA) as part of its multifaceted mission to work with the energy sector in developing the capability required to protect our nation's energy infrastructures. This updated report focuses specifically on a methodology that has been applied to the electric power infrastructure and at a more detailed level.

Over the last five years, a team of national laboratory experts, working in partnership with the energy industry, has successfully applied the methodology as part of OEA's Vulnerability Assessment Program (VAP) to help energy-sector organizations identify and understand the threats to and vulnerabilities (physical and cyber) of their infrastructures. Lessons learned from these assessments, as well as best practice approaches to mitigate vulnerabilities, are continuing to be documented in related reports.

The purpose of this report is to provide a methodology resource for the electric power industry. No one vulnerability assessment methodology has all the answers. Companies should consider for themselves the applicability of the vulnerability assessment elements to their individual situation. Each company should determine which elements are applicable (if any) along with the appropriate level of detail.

1.2 BACKGROUND

The primary mission of OEA is to work with the national energy sector in developing the capability required for assuring the nation's energy infrastructures. This mission encompasses the physical and cyber components of the electric power, oil, and natural gas infrastructures, the interdependencies among these components, and the interdependencies with the other critical national infrastructures. The mission also includes identifying DOE technologies and capabilities that can help assure our nation's critical energy infrastructures and facilitating their use by the private sector and other federal agencies.

VAP is an integral part of the overall OEA strategy in critical infrastructure protection where the Department, as the federal government lead agency for the energy sector, partners with industry to address vital issues of mutual interest. The specific objective of the program is to partner with the energy industry (electric power, oil, and natural gas) to develop and implement a vulnerability awareness and education program for their sector to enhance the security of the energy infrastructure, as directed by PDD-63. To accomplish the mission, the program is designed to develop, validate, and disseminate assessment and survey methodologies with associated tools to assist in the implementation; provide training and technical assistance; and stimulate action to mitigate significant problems.

Fourteen vulnerability assessments (and 20 vulnerability surveys/quick-turnaround assessments) have been completed under this initiative (several more are in progress and in the planning stages). To date, 13 of the vulnerability assessments and 10 of the vulnerability surveys have focused on the electric power infrastructure. Facilities examined included generation, transmission, and distribution facilities along with independent system operators. Assessments addressed key energy organizations whose operations, if disrupted, would have broad regional or national impact. This report presents the methodology that was performed on these electric power facilities.

1.3 REPORT ORGANIZATION

The remainder of this report is organized as follows. Section 1.4 discusses the benefits of vulnerability assessments and surveys. Section 2 discusses the motivation for the Vulnerability Assessment Program and provides an overview of the three steps in the assessment process: pre-assessment, assessment, and post-assessment. Sections 3, 4, and 5 discuss each of these steps.

1.4 BENEFITS OF ASSESSMENTS

Energy utilities should routinely perform vulnerability assessments to better understand threats and vulnerabilities, determine acceptable levels of risk, and stimulate action to mitigate identified vulnerabilities. The direct benefits of performing a vulnerability assessment include:

- Build and broaden awareness. The assessment process directs senior management's attention to security. Security issues, risks, vulnerabilities, mitigation options, and best practices are brought to the surface. Awareness is one of the least expensive and most effective methods for improving the organization's overall security posture.

- Establish or evaluate against a baseline. If a baseline has been previously established, an assessment is an opportunity for a checkup to gauge the improvement or deterioration of an organization's security posture. If no previous baseline has been performed (or the work was not uniform or comprehensive), an assessment is an opportunity to integrate and unify previous efforts, define common metrics, and establish a definitive baseline. The baseline also can be compared against best practices to provide perspective on an organization's security posture.

- Identify vulnerabilities and develop responses. Generating lists of vulnerabilities and potential responses is usually a core activity and outcome of an assessment. Sometimes, due to budget, time, complexity, and risk considerations, the response selected for many of the vulnerabilities may be non-action, but after completing the assessment process, these decisions will be conscious ones, with a documented decision process and item-by-item rationale available for revisiting issues at scheduled intervals. This information can help drive or motivate the development of a risk management process.

- Categorize key assets and drive the risk management process. An assessment can be a vehicle for reaching corporate-wide consensus on a hierarchy of key assets. This ranking, combined with threat, vulnerability, and risk analysis, is at the heart of any risk management process. For many organizations, the Y2K threat was the first time a company-wide inventory and ranking of key assets was attempted. An assessment allows an organization to revisit that list from a broader and more comprehensive perspective.

- Develop and build internal skills and expertise. A security assessment, when not implemented in an audit mode, can serve as an excellent opportunity to build security skills and expertise within an organization. A well-structured assessment can have elements that serve as a forum for cross-cutting groups to come together and share issues, experiences, and expertise. External assessors can be instructed to emphasize teaching and collaborating rather than evaluating (the traditional role). Whatever an organization's current level of sophistication, a long-term goal should be to move that organization toward a capability for self-assessment.

- Promote action. Although disparate security efforts may be underway in an organization, an assessment can crystallize and focus management attention and resources on solving specific and systemic security problems. Often the people in the trenches are well aware of security issues (and even potential solutions) but are unable to convert their awareness to action. An assessment provides an outlet for their concerns and the potential to surface these issues at appropriate levels (legal, financial, executive) and achieve action. A well-designed and executed assessment not only identifies vulnerabilities and makes recommendations, it also gains executive buy-in, identifies key players, and establishes a set of cross-cutting groups that can convert those recommendations into action.

- Kick off an ongoing security effort. An assessment can be used as a catalyst to involve people throughout the organization in security issues, build cross-cutting teams, establish permanent forums and councils, and harness the momentum generated by the assessment to build an ongoing institutional security effort. The assessment can lead to the creation of either an actual or a virtual (matrixed) security organization.

2 VULNERABILITY ASSESSMENT PROCESS

Figure 2.1 provides an overview of the assessment methodology. As shown, the methodology is divided into three basic phases: pre-assessment, assessment, and post-assessment. Each phase consists of a series of elements or tasks that have been designed by the VAP team of national laboratory experts. Lessons learned have been captured and used to enhance and, when appropriate, expand the methodology. The specific elements or tasks associated with each assessment phase can be tailored to meet specific assessment objectives. Although the methodology has incorporated unique elements that leverage the expertise of the national laboratories, the methodology can be adapted for self-assessment.

A number of assessment techniques, methods, and approaches used by other organizations (public and private-sector) have been examined in developing the methodology shown in Figure 2.1. This includes information gathered through open literature, presentations, classroom instructions, and discussions. In addition, elements of the methodology have been derived from ongoing DOE security and infrastructure assurance programs. In particular, the significant investment by DOE in the development of policies, procedures, processes, and technologies to solve the challenge of protecting the nation's most sensitive information and special nuclear materials has provided a foundation for this initiative. The basic VAP philosophy is to leverage vulnerability assessment techniques, methods, and approaches that have proven to be useful and useable.

Pre-Assessment
- Define Scope
- Objectives of Assessment and Scope of Assessment
- Establish Information Protection Procedures
- Identify and Rank Critical Assets
- Terms of Reference

Assessment
- Analyze Network Architecture
- Assess Threat Environment
- Conduct Penetration Testing
- Assess Physical Security
- Conduct Physical Asset Analysis
- Assess Operations Security
- Examine Policies and Procedures
- Conduct Impact Analysis
- Assess Infrastructure Interdependencies
- Conduct Risk Characterization
- Findings and Recommendations
- Lessons Learned and Methodology Improvements

Post-Assessment
- Prioritize Recommendations
- Develop Action Plan
- Capture Lessons Learned and Best Practices
- Conduct Training

Figure 2.1 Vulnerability Assessment Phases

3 PRE-ASSESSMENT

The pre-assessment phase involves defining the scope of the assessment, establishing appropriate information protection procedures, and identifying and ranking critical assets. Each of these activities is critical in ensuring the success of the assessment.

3.1 SCOPE OF ASSESSMENT

A wide range of activities are involved in defining the scope of the assessment. These include identifying the assessment objectives and measures of success, specifying the elements of the methodology that will be included in the assessment, engaging knowledgeable personnel and ensuring access to resources and information, deciding on the type of assessment (internal, facilitated, external, hybrid) to be conducted, and developing an assessment schedule.

Assessment objectives and measures of success define the assessment and must be tailored to the organization. Possible objectives include the following:

- Identify all critical vulnerabilities (physical, cyber, and interdependencies) and develop appropriate response options.
- Identify and rank all key assets from a security perspective.
- Develop the business case for making security investments and organizational changes that will enhance security.
- Enhance awareness and make security an integral part of the business strategy.

The process of setting the assessment objectives will help to define the specific elements of the methodology that will be included in the assessment. As shown in Figure 2.1, 10 assessment elements are included in the methodology. The appropriateness of each and the level of detail must be examined in the context of the assessment objectives.

As defined below, there are four basic strategies for conducting assessments:

- Internal. In-house technical and organizational expertise is used to perform the assessment. In most cases, internal staff members have the distinct advantage of having a clear understanding of the domain, organization, technology, and policies and practices currently in effect. In addition, in-house experts often bring both a historical perspective and a sense of future plans.

- Facilitated. In-house technical experts, guided by an outside facilitator, are used to perform the assessment. This option allows a company to offload the organizational and methodological aspects of the assessment to the facilitator and more efficiently leverage internal staff for their specific domain and technical expertise.

- External. An external assessment team, such as the OEA national laboratory vulnerability assessment team or a private contractor, conducts the assessment. This approach brings outside objectivity, intra- and inter-industry perspectives, visibility into trends and benchmarks, access to specialized staff with specific expertise, and oftentimes increased credibility with executive management.

- Hybrid. Internal staff members perform some elements or tasks, and external experts conduct others.

Because organizations typically do not have the breadth or depth of in-house expertise available to conduct comprehensive vulnerability assessments of the scope defined in Figure 2.1, external expertise is both necessary and desirable. It is also important to note that effective planning, scheduling, coordination, and logistics are as important to completing a successful assessment as assembling a qualified assessment team.

If external expertise is used, well-defined information protection procedures must be established. When the OEA national laboratory team conducts an assessment, a nondisclosure agreement is typically developed that defines the policies for the storage, transmission, handling, and disposition of all sensitive data gathered and generated during the assessment.

3.2 CRITICAL ASSET IDENTIFICATION

The final pre-assessment task is to identify and rank critical assets. This is an enterprise-wide ranking of the vital systems, facilities, processes, and information necessary to maintain continuity of service. The objective is to focus the assessment and support the risk analysis process (a process that culminates in ranked options for action). Lists created for Y2K and contingency planning can be a helpful starting point, but a careful analysis of critical assets is needed to ensure that current threats and new critical infrastructure assurance considerations, such as interdependencies, are addressed.

Modern enterprises seek to manage risk in a manner that manages cost while providing adequate protection or mitigation against loss. Delineating the relative importance of corporate assets is necessary for managing risk, but determining their specific importance or criticality is rarely straightforward, particularly in large and complex organizations. The role of critical asset identification within a risk management structure is described. The method (a workshop) of taking the first steps in identifying and categorizing the assets is then described, along with sample results.

Role of Critical Asset Identification in Risk Management

The general objective of critical asset identification is straightforward: to identify and prioritize assets according to how critical they are to the company. The result is used to focus the vulnerability assessment. For example, if a supervisory control and data acquisition (SCADA) system were ranked higher than a particular facility with a network, firewalls, etc., the SCADA system would be assessed (theoretically) before the facility network. Caution must be exercised, however, to ensure the network does not provide access to the SCADA system, thus elevating it to the same priority.

The results of the critical assets identification task are closely linked to the risk characterization task conducted later in the assessment. The primary difference is that the pre-assessment meeting that accomplishes this is the preliminary act of bringing together representatives from across the enterprise to delineate and prioritize assets for the vulnerability assessment. The risk characterization task focuses on the resulting investment and implementation priorities. It requires information on the criticality (or consequences of loss) for assets so that evaluation of the risk benefits or investment can be ranked. For example, assets with low criticality (e.g., whose disruption would result in low consequences) would not merit substantial investment in protection. Such evaluation requires a sense of the cost associated with the consequences, which can be obtained directly or indirectly by utility staff during the workshop.

It is important to use an approach that evaluates all the important corporate assets against a common (across the enterprise) set of criteria. The result is a uniform enterprise-wide prioritization, rather than a business unit by business unit prioritization. This uniformity avoids the disparity in ranking that frequently develops when each business unit conducts its own prioritization. It also provides uniform treatment to common assets such as communications and information technology (IT) network services.

Identifying asset criticality is a vital element of assessing and managing risk. A typical security-based risk management process is depicted in Figure 3.1.
[Figure 3.1 flowchart. Elements shown:
- Asset Identification
- Determine Criticality/Consequence of Loss
- Identify and Assess Threats
- Identify and Assess Vulnerabilities
- DETERMINE RISK LEVEL: Probability of Loss (High, Medium, Low) against Consequence of Loss (High, Medium, Low)
- DETERMINE ACCEPTABILITY OF RISK:
  - Unacceptable Risk: Action Required
  - Marginally Acceptable Risks: Consider Action (management may determine to accept the risk in writing)
  - Risks Acceptable: No Action
- Identify Risk Reduction Options
- Perform Cost/Benefit Analysis (Acceptable / Not Acceptable)
- Implementation
- Repeat Until Acceptable]

Figure 3.1 Example Risk Management Process (Source: adapted from Federal Aviation Agency, 2000)
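
The caution in Section 3.2, that a lower-ranked network which provides access to the SCADA system is elevated to the SCADA system's priority, can be checked mechanically once access paths are recorded alongside the asset ranking. The following Python sketch is an added example, not part of the DOE report; the asset names, ranks, and access edges are constructed sample data, and it generalizes the report's single case to any chain of access paths.

```python
from collections import deque

# Constructed sample ranking: 1 is the most critical asset.
BASE_RANK = {
    "scada": 1,
    "control_center_lan": 2,
    "facility_network": 4,
    "corporate_email": 5,
    "warehouse_badge_system": 6,
}

# Constructed access paths: an edge A -> B means that access to A
# provides a route to B (shared credentials, routed link, modem, etc.).
ACCESS = {
    "corporate_email": ["facility_network"],
    "facility_network": ["control_center_lan"],
    "control_center_lan": ["scada"],
    "scada": [],
    "warehouse_badge_system": [],
}


def elevate(base_rank, access):
    """Return, per asset, its workshop rank, its effective rank, and the
    access path that justifies any elevation.

    The effective rank is the best (lowest-numbered) rank among the asset
    itself and every asset reachable from it. A breadth-first search with a
    visited set keeps the walk finite even if the access graph has cycles.
    """
    result = {}
    for asset, rank in base_rank.items():
        parents = {asset: None}          # doubles as the visited set
        queue = deque([asset])
        best = asset
        while queue:
            node = queue.popleft()
            # Assets missing from the ranking never cause an elevation.
            if base_rank.get(node, float("inf")) < base_rank[best]:
                best = node
            for nxt in access.get(node, ()):
                if nxt not in parents:
                    parents[nxt] = node
                    queue.append(nxt)
        # Rebuild the path from the asset to the asset that elevated it.
        path = []
        node = best
        while node is not None:
            path.append(node)
            node = parents[node]
        path.reverse()
        result[asset] = {
            "base": rank,
            "effective": base_rank[best],
            "via": path,
        }
    return result


def assessment_order(base_rank, access):
    """Order assets for assessment: effective rank first, then base rank."""
    ranks = elevate(base_rank, access)
    return sorted(ranks, key=lambda a: (ranks[a]["effective"], ranks[a]["base"], a))


if __name__ == "__main__":
    ranks = elevate(BASE_RANK, ACCESS)
    for name in assessment_order(BASE_RANK, ACCESS):
        r = ranks[name]
        note = ""
        if r["effective"] < r["base"]:
            note = "  elevated via " + " -> ".join(r["via"])
        print(f"{name:24s} base={r['base']} effective={r['effective']}{note}")
```

Assets whose effective rank is better than their workshop rank are the ones to raise with the asset owners, together with the recorded path, before the assessment schedule is fixed.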

Identification of asset criticality serves several functions:

- It enables more careful consideration of factors that affect risk, including threats, vulnerabilities, and consequences of loss or compromise of the asset.
- It enables more focused and thorough consideration of risk mitigation options.
- It enables leaders to develop robust methods for managing consequences of asset loss (restoration).
- It provides a means to increase awareness of a broad range of employees to protect truly critical assets and to differentiate in policies and procedures the heightened protection they require.

As previously indicated, identifying the criticality of assets is used primarily to focus the vulnerability analysis efforts. It also assists with the ranking of the various recommendations for reducing vulnerabilities. Appendix A contains more detailed information on the critical asset methodology, including the critical asset workshop to assist in developing the list of critical assets for the facility.

Potential electric power infrastructure critical assets can include:

Physical
- Generators
- Substations
- Transformers
- Transmission lines
- Distribution lines
- Control center
- Warehouses (e.g., equipment, spare parts)
- Office buildings
- Internal and external infrastructure dependencies

Cyber
- SCADA system
- Networks
- Databases
- Business systems (e.g., trading, accounting, human resources)
- Telecommunications

Interdependencies
- Single-point nodes of failures
- Critical infrastructure components of high reliance

4 VULNERABILITY ASSESSMENT METHODOLOGY

As shown in Figure 2.1, the assessment methodology consists of 10 elements. Each element along with its section numbering is listed below.

4.1 Network architecture
4.2 Threat environment
4.3 Penetration testing
4.4 Physical security
4.5 Physical asset analysis
4.6 Operations security
4.7 Policies and procedures
4.8 Impact analysis
4.9 Infrastructure interdependencies
4.10 Risk characterization

High-level summaries from each element area are provided below. Appendix B contains the request for information for each element, and Appendix C contains more detailed information on the methodology used for each element, including the approach, process, and tips for each element.

4.1 NETWORK ARCHITECTURE

This element provides an analysis of the information assurance features of the information network(s) associated with the organization's critical information systems. Information examined should include network topology and connectivity (including subnets), principal information assets, interface and communication protocols, function and linkage of major software and hardware components (especially those associated with information security such as intrusion detectors), and policies and procedures that govern security features of the network.

Procedures for information assurance in the system, including authentication of access and management of access authorization, should be reviewed. The assessment should identify any obvious concerns related to architectural vulnerabilities, as well as operating procedures. Existing security plans should be evaluated, and the results of any prior testing should be analyzed. Results from the network architecture assessment should include potential recommendations for changes in the information architecture, functional areas and categories where testing is needed, and suggestions regarding system design that would enable more effective information and information system protection.

Three techniques are used in conducting the network architecture assessment:

1. Analysis of network and system documentation during and after the site visit;
2. Interviews with facility staff, managers, and Chief Information Officer; and
3. Tours and physical inspections of key facilities.

(The request for information for network architecture is in Appendix B, Section B.1, and the methodology description is in Appendix C, Section C.1.)

4.2 THREAT ENVIRONMENT

Development of a clear understanding of the threat environment is a fundamental element of risk management. When combined with an appreciation of the value of the information assets and systems, and the impact of unauthorized access and subsequent malicious activity, an understanding of threats provides a basis for better defining the level of investment needed to prevent such access.

The threat of a terrorist attack to the electric power infrastructure is real and could come from several areas, including physical, cyber, and interdependency. In addition, threats could come from individuals or organizations motivated by financial gain or persons who derive pleasure from such penetration (e.g., recreational hackers, disgruntled employees). Other possible sources of threats are those who want to accomplish extremist goals (e.g., environmental terrorists, antinuclear advocates) or embarrass one or more organizations.

This element should include a characterization of these and other threats, identification of trends in these threats, and ways in which vulnerabilities are exploited. To the extent possible, characterization of the threat environment should be localized, that is, within the organization's service area.

(The request for information for threat environment is in Appendix B, Section B.2, and the methodology description is in Appendix C, Section C.2.)

4.3 PENETRATION TESTING

The purpose of network penetration testing is to utilize active scanning and penetration tools to identify vulnerabilities that a determined adversary could easily exploit. Penetration testing can be customized to meet the specific needs and concerns of the utility. In general, penetration testing should include a test plan and details on the rules of engagement (ROE). It should also include a general characterization of the access points to the critical information systems and communication interface connections, modem network connections, access points to principal network routers, and other external connections. Finally, penetration testing should include identified vulnerabilities and, in particular, whether access could be gained to the control network or specific subsystems or devices that have a critical role in assuring continuity of service.

Penetration testing consists of an overall process for establishing the ground rules or ROE for the test; establishing a white cell for continuous communication; developing a format or methodology for the test; conducting the test; and generating a final report that details methods, findings, and recommendations.

Penetration testing methodology consists of three phases: reconnaissance, scenario development, and exploitation. A one-time penetration test can provide the utility with valuable feedback; however, it is far more effective if performed on a regular basis. Repeated testing is recommended because new threats develop continuously, and the networks, computers, and architecture of the utility are likely to change over time.

(The request for information for penetration testing is in Appendix B, Section B.3, and the methodology description is in Appendix C, Section C.3.)

4.4 PHYSICAL SECURITY

The purpose of physical security assessment is to examine and evaluate the systems in place (or being planned) and to identify potential improvements in this area for the sites evaluated. Physical security systems include access controls, barriers, locks and keys, badges and passes, intrusion detection devices and associated alarm reporting and display, closed-circuit television (assessment and surveillance), communications equipment (telephone, two-way radio, intercom, cellular), lighting (interior and exterior), power sources (line, battery, generator), inventory control, postings (signs), security system wiring, and protective force. Physical security systems are reviewed for design, installation, operation, maintenance, and testing.

The physical security assessment should focus on those sites directly related to the critical facilities, including information systems and assets required for operation. Typically included are facilities that house critical equipment or information assets or networks dedicated to the operation of electric or gas transmission, storage, or delivery systems. Other facilities can be included on the basis of criteria specified by the organization being assessed. Appropriate levels of physical security are contingent upon the value of company assets, the potential threats to these assets, and the cost associated with protecting the assets. Once the cost of implementing/maintaining physical security programs is known, it can be compared to the value of the company assets, thus providing the necessary information for risk management decisions.

The focus of the physical security assessment task is determined by prioritizing the company assets; that is, the most critical assets receive the majority of the assessment activity. At the start of the assessment, survey personnel should develop a prioritized listing of company assets (see Appendix A). This list should be discussed with company personnel to identify areas of security strengths and weaknesses. During these initial interviews, assessment areas that would provide the most benefit to the company should be identified; once known, they should become the major focus of the assessment activities.

The physical security assessment of each focus area usually consists of the following:

- Physical security program (general)
- Physical security program (planning)
- Barriers
- Access controls/badges
- Locks/keys
- Intrusion detection systems
- Communications equipment
- Protective force/local law enforcement agency

The key to reviewing the above topics is not to just identify if they exist but to determine the appropriate level that is necessary and consistent with the value of the asset being protected. The physical security assessment worksheets provide guidance on appropriate levels of protection.

Once the focus and content of the assessment task have been identified, the approach to conducting the assessment can be either at the implementation level or at the organizational level. The approach taken depends on the maturity of the security program. For example, a company with a solid security infrastructure (staffing, plans/procedures, funding) should receive a cursory review of these items; however, facilities where the security programs are being implemented should receive a detailed review. The security staff can act upon deficiencies found at the facilities, once reported.

For companies with an insufficient security organization, the majority of time spent on the assessment should take place at the organizational level to identify the appropriate staffing/funding necessary to implement security programs to protect company assets. Research into specific facility deficiencies should be limited to finding just enough examples to support any staffing/funding recommendations.

(The request for information for physical security is in Appendix B, Section B.4, and the methodology description is in Appendix C, Section C.4.)

4.5 PHYSICAL ASSET ANALYSIS

The purpose of the physical asset analysis is to examine the systems and physical operational assets to ascertain whether vulnerabilities exist. Included in this element is an examination of asset utilization, system redundancies, and emergency operating procedures.
Consideration should also be given to the topology and operating practices for electric and gas transmission, processing, storage, and delivery, looking specifically for those elements that either singly or in concert with other factors provide a high potential for disrupting service. This portion of the assessment determines company and industry trends regarding these physical assets. Historic trends, such as asset utilization, maintenance, new infrastructure investments, spare parts, SCADA linkages, and field personnel are part of the scoping element (see Section 3.1).

The proposed methodology for physical assets is based on a macro-level approach. The analysis can be performed with company data, public data, or both. Some companies might not have readily available data or might be reluctant to share that data. Key output from analysis should be graphs that show trends. The historic data analysis should be supplemented with on-site interviews and visits. Items to focus on during a site visit include the following:

- Trends in field staffing
- Trends in maintenance expenditures
- Trends in infrastructure investments
- Historic infrastructure outages
- Critical system components and potential system bottlenecks
- Overall system operation controls
- Use and dependency of SCADA systems
- Linkages of operation staff with physical and IT security
- Adequate policies and procedures
- Communications with other regional utilities
- Communications with external infrastructure providers
- Adequate organizational structure

(The request for information for physical asset analysis is in Appendix B, Section B.5, and the methodology description is in Appendix C, Section C.5.)

4.6 OPERATIONS SECURITY

Operations security (OPSEC) is the systematic process of denying potential adversaries (including competitors or their agents) information about capabilities and intentions of the host organization. OPSEC involves identifying, controlling, and protecting generally nonsensitive activities concerning planning and execution of sensitive activities. The OPSEC assessment reviews the processes and practices employed for denying adversary access to sensitive and nonsensitive information that might inappropriately aid or abet an individual's or organization's disproportionate influence over system operation (e.g., electric markets, grid operations). This assessment should include a review of security training and awareness programs, discussions with key staff, and tours of appropriate principal facilities. Information that might be available through public access should also be reviewed.

(The request for information for operations security is in Appendix B, Section B.6, and the methodology description is in Appendix C, Section C.6.)
4.7 POLICIES AND PROCEDURES

The policies and procedures by which security is administered (1) provide the basis for identifying and resolving issues; (2) establish the standards of reference for policy implementation; and (3) define and communicate roles, responsibilities, authorities, and accountabilities (R²A²) for all individuals and organizations that interface with critical systems. They are the backbone for decisions and day-to-day security operations. Security policies and procedures become particularly important at times when multiple parties must interact to effect a desired level of security and when substantial legal ramifications could result from policy violations. Policies and procedures should be reviewed to determine whether they (1) address the key factors affecting security; (2) enable effective compliance, implementation, and enforcement; (3) reference or conform to established standards; (4) provide clear and comprehensive guidance; and (5) effectively address the R²A².

The objective of the policies and procedures assessment task is to develop a comprehensive understanding of how a facility protects its critical assets through the development and implementation of policies and procedures. Understanding and assessing this area provide a means of identifying strengths and areas for improvements that can be achieved through:

- Modification of current policies and procedures
- Implementation of current policies and procedures
- Development and implementation of new policies and procedures
- Assurance of compliance with policies and procedures
- Cancellation of policies and procedures that are no longer relevant, or are inappropriate, for the facility's current strategy and operations

(The request for information for policies and procedures is in Appendix B, Section B.7, and the methodology description is in Appendix C, Section C.7.)

4.8 IMPACT ANALYSIS

A detailed analysis should be conducted to determine the influence that exploitation of unauthorized access to critical facilities or information systems might have on an organization's operations (e.g., market and/or physical operations). In general, such an analysis would require thorough understanding of (1) the applications and their information processing, (2) decisions influenced by this information, (3) independent checks and balances that might exist regarding information upon which decisions are made, (4) factors that might mitigate the impact of unauthorized access, and (5) secondary impacts of such access (e.g., potential destabilization of organizations serving the grid, particularly those affecting reliability or safety). Similarly, the physical chain of events following disruption, including the primary, secondary, and tertiary impacts of disruption, should be examined.
The purpose of the impact analysis is to help estimate the impact that outages could have on a utility. Outages in electric power, natural gas, and oil can have significant financial and external consequences to a utility. The impact analysis provides an introduction to risk characterization by providing quantitative estimates of these impacts so that the utility can implement a risk management program and weigh the risks and costs of various mitigation measures.

(The request for information for impact analysis is in Appendix B, Section B.8, and the methodology description is in Appendix C, Section C.8.)

4.9 INFRASTRUCTURE INTERDEPENDENCIES

The term "infrastructure interdependencies" refers to the physical and electronic (cyber) linkages within and among our nation's critical infrastructures: energy (electric power, oil, natural gas), telecommunications, transportation, water supply systems, banking and finance, emergency services, and government services. This task identifies the direct infrastructure linkages between and among the infrastructures that support critical facilities as recognized by the organization. Performance of this task requires a detailed understanding of an organization's functions, internal infrastructures, and how these link to external infrastructures.

The purpose of the infrastructure interdependencies assessment is to examine and evaluate the infrastructures (internal and external) that support critical facility functions, along with their associated interdependencies and vulnerabilities.

(The request for information for infrastructure interdependencies is in Appendix B, Section B.9, and the methodology description is in Appendix C, Section C.9.)

4.10 RISK CHARACTERIZATION

Risk characterization provides a framework for prioritizing recommendations across all task areas. The recommendations for each task area are judged against a set of criteria to help prioritize the recommendations and assist the organization in determining the appropriate course of action. It provides a framework for assessing vulnerabilities, threats, and potential impacts (determined in the other tasks). In addition, the existing risk analysis and management process at the organization should be reviewed and, if appropriate, utilized for prioritizing recommendations. The degree to which corporate risk management includes security factors is also evaluated.

(The request for information for risk characterization is in Appendix B, Section B.10, and the methodology description is in Appendix C, Section C.10.)

5 POST-ASSESSMENT

The post-assessment phase involves prioritizing assessment recommendations, developing an action plan, capturing lessons learned and best practices, and conducting training. The risk characterization element results provide the basis for the post-assessment by providing prioritized lists of recommendations that are ranked by key criteria. The company should take the prioritized lists and validate the recommendations and costs. Recommendations that are low cost or result in cost savings should be singled out for special attention. Other recommendations, however, might require formidable financial resources for implementation and require knowledge of the current company financial situation and posture toward risk. Each company should carefully evaluate the costs and benefits of each recommendation.

Recommendations compared in this section include making trade-offs in improvements in each of the other element areas. For example, which physical security measures should be selected versus changes in policies and procedures and network architecture? These are difficult decisions to make, and a risk management framework combined with a diverse group of company decision makers should be a part of this decision-making process.

The next step is to develop an action plan that includes timelines, staffing assignments, and budgets to implement the proposed recommendations. Lessons learned should be captured along the way to improve the overall process in the future. Training and other technical support activities, such as workshops, are also appropriate throughout the process.

APPENDIX A: CRITICAL ASSETS METHODOLOGY

Critical Asset Identification

One approach used to identify critical assets is to conduct a Pre-Assessment Workshop. This is a facilitated workshop involving representatives from a wide diversity of organizational elements. It can provide a cost-effective, one-day session to generate an estimate that is adequate for initiating the assessment process. The workshop is conducted on the basis of three general steps:

- The definitions and attributes of criticality are reviewed.
- The corporate assets list is generated, based on an intuitive basis of criticality.
- Consensus is reached on the individual assets evaluated and ranked against those attributes.

In addition, a separate listing of special focus areas can be developed. This can provide flexibility for including extraordinary items that might not otherwise qualify under the criteria, but which are viewed to be sufficiently important to warrant inclusion in the assessment.

It is important that the Pre-Assessment Workshop have representation from all sectors of the enterprise that have or control valuable assets or processes. The representatives should have a reasonable understanding of the operational workings of the company, as well as finance, auditing, risk management, and security. It is not unusual, for example, for the audit group to provide a uniquely balanced perspective of the nontangible assets' criticality. Minimum representation from the following elements is suggested: Corporate Security (or information technology [IT] Security, Physical Security), IT, Administration, Legal, Operations (such as Generation, Transmission, Distribution, Gas Storage, etc.), Audit & Risk Management, Finance, and Human Resources. All representatives need to come to the workshop with their organizations' list of critical assets and be prepared to discuss the corporate ranking of the assets.

Consequence Basis for Critical Asset Identification

The first step in determining critical assets is to define criticality. Criticality is in the eye of the beholder, and therefore a diverse set of corporate perspectives and knowledge sets must be represented when defining it. The initial workshop will be the first experience many of the participants will have in this type of endeavor. It is reasonable to expect that some time will be spent instructing the participants in the process and achieving consensus on issues such as the criticality criteria and attributes.

The primary basis for considering criticality is the severity of consequences associated with loss or compromise of the asset. The consequences of asset loss or compromise can have many different dimensions. Therefore, the first portion of the workshop will concentrate on reviewing the determination of those dimensions and associating attributes with different levels of consequences. Three levels of criticality (consequences) may be used for the initial Pre-Assessment Workshop. This is for ease of analysis and documentation, and recognizes that finer resolution may be difficult in an initial exercise of this type. The dimensions of criticality determined are likely to be similar to those of many organizations; however, the attributes that distinguish between various levels of criticality may be unique.

A general guide for developing the criteria for criticality for an energy industry vulnerability assessment might consider the following. An asset (facility, IT system, node, or network) is considered critical if its destruction, incapacitation, or compromise would:

- Jeopardize the company's long-term survival
- Have a serious, harmful effect on the company
- Adversely affect the company's operations or image
- Require near-term, if not immediate, remediation

The participants may wish to identify specific, recognizable events or symptoms for each criterion to provide a more clearly defined trigger. For example, they may define the "high" attribute as, "Would this result in immediate action by the Board of Directors or CEO?" and use it as a discriminator to determine critical consequences.

Ranking of recommendations is done in the risk characterization task, but it requires identification of financial consequences of asset loss. For instance, financial losses are defined for each attribute level ranging from a high level (e.g., greater than $1 billion) to a low level (e.g., less than $50,000). An approach used in some risk assessments assigns five levels (as opposed to three above) with an appropriate financial consequence associated with each level.

Financial consequences of the loss of some assets are difficult to estimate. For these, financial consequences can be assigned because they are valued at a level of similar impact. Hence, the financial consequences can be assumed to be similar. For instance, one might equate the impact of the loss of brand name (which is difficult to assess financially) with the loss of a major facility (whose financial impact is easier to estimate). For evaluating the cost-benefit of mitigating the risks associated with these assets, it would be assumed that they have the same financial consequence if compromised.

It is important to recognize that many of the assets, functions, processes, systems, etc., that are part of a company are very important, but not declared critical. This should not be interpreted as a determination that such assets offer little risk and thus should not be protected. At most, it means that consequences of loss place it lower on the hierarchy for thorough assessment and investment for remediation.

Risks to such assets may still be significant if the threats and vulnerabilities are high. However, many of the measures (e.g., policies and procedures, badging) used to address assets that are more critical also facilitate risk reduction broadly for all assets, including those designated a lower level of criticality. Conversely, an absence of broadly applied security measures, including policies and procedures, increases vulnerability for critical assets for obvious reasons. It also has the indirect effect of increasing vulnerability due to a lack of uniformly educated and alert staff.

Table A.1 provides an example of criticality/consequence dimensions and attributes. The actual dimensions and attributes will vary by company and should be developed by the participants in the workshop. A broad range of attributes should be explored, focusing on attributes that can identify assets that if lost, disrupted, or compromised would have significant consequences.

Table A.1 Criticality/Consequence Dimensions and Attributes

Column headings: Criticality/Consequence Dimensions (Item); Criticality/Consequence Attributes by CONSEQUENCE level: High (Board of Directors/CEO), Medium, Low

Legal Liability
o Property damage: Mitigated by insurance; Mitigated by insurance
o Health and safety: Multiple loss of life; Loss of life; Minor injury, lost time
o Customer relations
o Service interruption
  (cells for the two items above, in source order): Regional loss of service, >48 hrs; Regional loss of service, long term; System-wide loss of service; Industrial/large commercial outage, safety health (hospital, nursing home); Localized loss of service; Small commercial/residential outage

Environmental, Safety and Health
o Regulatory, environment and safety
o Employee and labor relations
  (cells for the two items above, in source order): Multiple loss of life, major environmental release; Property-wide strike and sick-in, service disruption; Criminal consequence for corp. officer or major negative media event; Property-wide strike; Minor violation or media exposure; Breach of trust, uncoordinated strike

Financial
o Shareholder value: Bond rating devaluation to well below investment grade; Bond rating drop of 3 levels, stock devaluation of $500 million; Bond rating drop of 1 level


MEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile

More information

Data Security Incident Response Plan. [Insert Organization Name]

Data Security Incident Response Plan. [Insert Organization Name] Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security

More information

Assets, Threats and Vulnerabilities: Discovery and Analysis

Assets, Threats and Vulnerabilities: Discovery and Analysis Assets, Threats and Vulnerabilities: Discovery and Analysis A comprehensive approach to Enterprise Risk Management By Symantec Corporation Executive Summary... 2 Evolution of the Network Security Market...

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive

More information
